[FFmpeg-devel] [PATCH] libavformat/flacenc: reject too big picture blocks

Michael Niedermayer michael at niedermayer.cc
Tue Oct 29 13:03:49 EET 2019


On Sun, Oct 27, 2019 at 10:06:11PM +0100, Mattias Wadman wrote:
> Think I messed up the formatting of the in-line patch somehow. I'll send the
> patch as an attachment instead. Hope reply and attach is ok?
> 
> On Sun, Oct 27, 2019 at 8:22 PM Mattias Wadman <mattias.wadman at gmail.com>
> wrote:
> 
> > > A too big picture will cause the muxer to write a truncated block size (uint24)
> > > causing the output file to be corrupt.
> >
> > How to reproduce:
> >
> > Write a file with truncated block size:
> > ffmpeg -y -f lavfi -i sine -f lavfi -i color=red:size=2400x2400 -map 0:a:0
> > -map 1:v:0 -c:v:0 bmp -disposition:1 attached_pic -t 1 test.flac
> >
> > Try to decode:
> > ffmpeg -i test.flac test.wav
> >
> > Signed-off-by: Mattias Wadman <mattias.wadman at gmail.com>
> > ---
> >  libavformat/flacenc.c | 10 ++++++++--
> >  1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git libavformat/flacenc.c libavformat/flacenc.c
> > index 93cc79bbe0..957bcb1123 100644
> > --- libavformat/flacenc.c
> > +++ libavformat/flacenc.c
> > @@ -93,7 +93,7 @@ static int flac_write_picture(struct AVFormatContext *s,
> > AVPacket *pkt)
> >      AVDictionaryEntry *e;
> >      const char *mimetype = NULL, *desc = "";
> >      const AVStream *st = s->streams[pkt->stream_index];
> > -    int i, mimelen, desclen, type = 0;
> > +    int i, mimelen, desclen, type = 0, blocklen = 0;
> >
> >      if (!pkt->data)
> >          return 0;
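Review bot: the "= 0" initializer on the new blocklen variable in the declaration line is dead, since blocklen is assigned unconditionally before its first read in the second hunk; declaring it as "int i, mimelen, desclen, type = 0, blocklen;" is enough.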
> > @@ -140,8 +140,14 @@ static int flac_write_picture(struct AVFormatContext
> > *s, AVPacket *pkt)
> >          desc = e->value;
> >      desclen = strlen(desc);
> >
> > +    blocklen = 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 +
> > pkt->size;
> > +    if (blocklen >= 1<<24) {
> > +         av_log(s, AV_LOG_ERROR, "Picture block too big %d >= %d\n",
> > blocklen, 1<<24);
> > +        return AVERROR(EINVAL);
> > +    }
> > +
> >      avio_w8(pb, 0x06);
> > -    avio_wb24(pb, 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 +
> > pkt->size);
> > +    avio_wb24(pb, blocklen);
> >
> >      avio_wb32(pb, type);
> >
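Review bot: the sum assigned to blocklen is evaluated in int, so a pkt->size (or a desclen from strlen) within 32 + mimelen + desclen of INT_MAX overflows before the ">= 1<<24" comparison and an oversized block still gets written; compute the sum in int64_t, or reject pkt->size >= 1<<24 on its own before adding the fixed fields. Style: the av_log line is indented nine spaces instead of eight, and a named constant for the 24-bit length limit would read better than the repeated 1<<24 in both the check and the message.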
> > --
> > 2.22.0
> >

>  flacenc.c |   10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 4b8ce8290f9727383c669467ba5c8358ac12b156  0001-libavformat-flacenc-reject-too-large-picture-blocks.patch
> From ea7cfb4fde056fbfdc9c7970453176281a16df27 Mon Sep 17 00:00:00 2001
> From: Mattias Wadman <mattias.wadman at gmail.com>
> Date: Sun, 27 Oct 2019 20:00:06 +0100
> Subject: [PATCH] libavformat/flacenc: reject too large picture blocks
> 
> A large picture will cause the muxer to write a truncated block size (uint24)
> causing the output file to be corrupt.
> 
> How to reproduce:
> 
> Write a file with truncated block size:
> ffmpeg -y -f lavfi -i sine -f lavfi -i color=red:size=2400x2400 -map 0:a:0 -map 1:v:0 -c:v:0 bmp -disposition:1 attached_pic -t 1 test.flac
> 
> Try to decode:
> ffmpeg -i test.flac test.wav
> 
> Signed-off-by: Mattias Wadman <mattias.wadman at gmail.com>
> ---
>  libavformat/flacenc.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git libavformat/flacenc.c libavformat/flacenc.c
> index 93cc79bbe0..957bcb1123 100644
> --- libavformat/flacenc.c
> +++ libavformat/flacenc.c
> @@ -93,7 +93,7 @@ static int flac_write_picture(struct AVFormatContext *s, AVPacket *pkt)
>      AVDictionaryEntry *e;
>      const char *mimetype = NULL, *desc = "";
>      const AVStream *st = s->streams[pkt->stream_index];
> -    int i, mimelen, desclen, type = 0;
> +    int i, mimelen, desclen, type = 0, blocklen = 0;

The initialization to 0 is useless


[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

"You are 36 times more likely to die in a bathtub than at the hands of a
terrorist. Also, you are 2.5 times more likely to become a president and
2 times more likely to become an astronaut, than to die in a terrorist
attack." -- Thoughty2
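The failure mode described in the commit message (a picture block whose length does not fit the 24-bit field of the FLAC metadata block header), worked through as an added example that is not part of this thread or of FFmpeg's code. It writes a minimal METADATA_BLOCK_PICTURE following the FLAC format layout, reads the header back the way a demuxer would, and contrasts a checked header write with the value an unchecked 24-bit write would store. The function names, the 32-byte fixed-field count and the image sizes in main() are this example's own assumptions; the 2400x2400 figure is constructed to match the reproduction command.

```c
/*
 * Added example, not FFmpeg code: a minimal writer and header reader for the
 * FLAC METADATA_BLOCK_PICTURE, showing why the block length must be checked
 * against the 24-bit header field before it is written. Field layout follows
 * the FLAC format description; the numbers in main() are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FLAC_BLOCK_PICTURE   0x06               /* block type in the header byte */
#define FLAC_MAX_BLOCK_LEN   ((1u << 24) - 1)   /* 24-bit length field */
#define FLAC_PICTURE_FIXED   32                 /* eight 32-bit fields: type, MIME len,
                                                   desc len, width, height, depth,
                                                   colors, data len */

static void put_be24(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v;
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get_be24(const uint8_t *p)
{
    return (uint32_t)p[0] << 16 | (uint32_t)p[1] << 8 | p[2];
}

/* Body length of a PICTURE block, computed in 64 bits so a large image
 * cannot overflow the way an int sum of the same fields could. */
int64_t flac_picture_block_len(size_t mimelen, size_t desclen, size_t datalen)
{
    return (int64_t)FLAC_PICTURE_FIXED + (int64_t)mimelen
         + (int64_t)desclen + (int64_t)datalen;
}

/* The value an unchecked 24-bit write actually stores: the low 24 bits. */
uint32_t flac_truncated_len(int64_t blocklen)
{
    return (uint32_t)(blocklen & FLAC_MAX_BLOCK_LEN);
}

/* METADATA_BLOCK_HEADER: last-block flag | type, then 24-bit body length.
 * Returns 0, or -1 when blocklen does not fit the length field. */
int flac_write_picture_header(uint8_t hdr[4], int is_last, int64_t blocklen)
{
    if (blocklen < 0 || blocklen > FLAC_MAX_BLOCK_LEN)
        return -1;
    hdr[0] = (uint8_t)((is_last ? 0x80 : 0x00) | FLAC_BLOCK_PICTURE);
    put_be24(hdr + 1, (uint32_t)blocklen);
    return 0;
}

/* Header plus PICTURE body into out. Returns bytes written, -1 if the block
 * is too large for the format (checked before anything is touched), or -2
 * if out is too small. */
int64_t flac_write_picture_block(uint8_t *out, size_t outcap, int is_last,
                                 uint32_t pic_type, const char *mime,
                                 const char *desc, uint32_t width,
                                 uint32_t height, uint32_t depth,
                                 uint32_t colors, const uint8_t *data,
                                 size_t datalen)
{
    size_t  mimelen  = strlen(mime), desclen = strlen(desc);
    int64_t blocklen = flac_picture_block_len(mimelen, desclen, datalen);
    uint8_t *p = out;

    if (blocklen > FLAC_MAX_BLOCK_LEN)
        return -1;
    if (outcap < 4 + (size_t)blocklen)
        return -2;

    flac_write_picture_header(p, is_last, blocklen); p += 4;
    put_be32(p, pic_type);          p += 4;
    put_be32(p, (uint32_t)mimelen); p += 4;
    memcpy(p, mime, mimelen);       p += mimelen;
    put_be32(p, (uint32_t)desclen); p += 4;
    memcpy(p, desc, desclen);       p += desclen;
    put_be32(p, width);  p += 4;
    put_be32(p, height); p += 4;
    put_be32(p, depth);  p += 4;
    put_be32(p, colors); p += 4;
    put_be32(p, (uint32_t)datalen); p += 4;
    memcpy(p, data, datalen);       p += datalen;
    return (int64_t)(p - out);
}

/* What a demuxer sees: the declared body length, plus flag and type. */
uint32_t flac_read_block_header(const uint8_t hdr[4], int *is_last, int *type)
{
    *is_last = hdr[0] >> 7;
    *type    = hdr[0] & 0x7f;
    return get_be24(hdr + 1);
}

int main(void)
{
    /* Constructed size: a 2400x2400 24-bit BMP is roughly 17 MiB. */
    size_t  datalen  = 2400u * 2400u * 3u + 54u;
    int64_t blocklen = flac_picture_block_len(strlen("image/bmp"), 0, datalen);
    uint8_t hdr[4];

    printf("block length %lld; an unchecked 24-bit write would store %u\n",
           (long long)blocklen, flac_truncated_len(blocklen));
    printf("checked header write returns %d\n",
           flac_write_picture_header(hdr, 0, blocklen));
    return 0;
}
```

With the constructed 2400x2400 payload the body comes to 17280095 bytes, and a 24-bit field keeps only 502879 of them, so a reader would take the next block header from the middle of the BMP data, which is the corruption the commit message describes. The length is summed in int64_t on purpose: the same fields added in int can overflow for a very large packet and slip past a comparison against 1<<24.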
